Malicious Emails

How to Identify Them and How to Protect Yourself

1.Identify the Sender

This is the first thing you should do whenever you receive an email, especially if:

It is requesting sensitive information

It asks you to click a link

It contains an attachment

Did you verify my email address before clicking the link to this slideshow?

1.Identify the Sender

nick@youritcompany.net

nick@yourltcompany.net

This is the most important portion of an email

address: the portion after the @ symbol.

It’s called the domain and usually you can trust it

to tell you where an email came from.

In some cases though, you can’t. We’ll cover how to identify

those situations later.

An attacker may attempt to mislead you with a

domain designed to look legitimate.

Can you identify the problem with this email

address?

Notice the lowercase “L” disguised as an “i”

1.Identify the Sender

nick@yourtechsupport.com

help@microsoft-techsupport.biz

support@dropbox-usa.net

info@googlefinancialpartners.com

Attackers will often use domains that sound

legitimate, when in reality they have no

association with the company they’re pretending

to represent.

help@microsoft.com

support@dropbox.com

info@google.com

vs

vs

vs

Some examples

1.Identify the Sender

nick@youritcompany.net

microsoftsupport@yahoo.com

irs-fraud@frauddepartment.ru

Attackers will also try to make this portion

misleading in an attempt to fool you.

Don’t fall victim to spoofs like this.

2.Screen the Links

OK, so you’ve verified the sender as someone legitimate.

This does not mean that you’re free to explore

any content they’ve sent you.

2.Screen the Links

Emails can contain links to malicious websites, or

attachments with malware disguised as

documents.

What if one of your contacts has had their email

account compromised? By clicking a link or

downloading an attachment, you could be

walking into a trap without even knowing it.

Often times when an attacker has gained access

to an email account, the attacker will attempt to

compromise each of the victim’s contacts as

well.

malware is an umbrella term for things like viruses, ransomware, and spyware

or what if the domain has been spoofed and the sender looks like someone from your organization?

2.Screen the Links

Website links have two parts:

A web address

A picture or display text

Attackers will often use

display text to disguise a

malicious web address.

They can also use

pictures or buttons, so be

on your toes

2.Screen the Links

These Links…

Click Here to Track Your Package

https://www.yourbank.com/

wikipedia.org

...Could Actually Be These Links

http://www.ransomware-download.com/

http://www.stealyourpassword.net/

http://www.illegalstuff.info/

2.Screen the Links

Hover Over Your Links

If you hover over a link with your mouse, you will

be told exactly where the link wants to take you.

It works whether you’re on a Mac or a PC.

It works whether you’re in Outlook or in Chrome.

It will work almost anywhere you see a link to a website.

Sometimes it will pop up in a box next to your cursor.

Sometimes it will pop up in the corner of your screen.

But it will pop up somewhere - look for it.

2.Screen the Links

Identify the Domain

Similar to a fraudulent email address, you’ll want to verify the domain of the website you’re being linked to.

It will tell you where you’re actually going.

So how do you identify the domain of a website?

2.Screen the Links

http://www.mydomain.com/home-page.html

First, anything preceding :// can be ignored

We can also ignore anything after the first forward slash

The domain is the last portion of what’s left. It is made up of the final two segments surrounding the final dot

2.Screen the Links

http://google.trustworthy.biz/

http://drive.google.com/my-document.doc

http://netflix.com/s4909sHTHS4802s!thjmod=4

http://microsoft.com.pc-hosting.ru/

bankofamerica.online.silverfish.net

en.wikipedia.org/wiki/Main_Page

Messenger.facebook.hostbin.com

www.qooqle.com

trustworthy.biz

google.com

netflix.com

pc-hosting.ru

silverfish.net

wikipedia.org

hostbin.com

qooqle.com

Can You Identify the Domain?

Attackers will try to mislead you with website domains too.

2.Screen the Links

Unlike an email address, website domains cannot be faked.

Track Package http://looksnormal.com/redirect http://bad-website.com/virus

They can redirect you though, so be careful.

3.Don’t Trust Attachments

You should NEVER open an email attachment blindly

By simply clicking it, you could compromise your security and risk spreading the

attack to your peers.

The safest precaution you can take is to identify the type of file it contains.

Every file has a type, and you can tell what that is by its file extension.

3.Don’t Trust Attachments

Here are some familiar file extensions:

.doc .docx

.xls .xlsx

.ppt .pptx

.pdf

.txt

Word Document

Excel Spreadsheet

PowerPoint

PDF

Text File

Similar to the .com or .net of a domain, the file extension will be that last portion of the file name.

3.Don’t Trust Attachments

Here are some more file extensions:

.exe

.bat

.js

.docm .xlsm .pptm

Executable

Windows Script

JavaScript

Office Document with Macros

These extensions are called executables and are normal too.

The difference is that they can make your computer perform specific actions.

Put another way, they can control your computer.

This is why you should always ensure you trust an executable’s source - verify what it is and where it came from.

3.Don’t Trust Attachments

If you receive an executable in an email attachment, you should assume it is malware

3.Don’t Trust Attachments

Attackers will attempt to disguise file types

Just like with domains

august-sales-numbers.exe

invoice324.pdf.exe

fedexshippinglabel.bat

sales-projections.xlsx.js

Example

This is an actual malicious email

David, a friend of mine, has had his account compromised. Posing as David, the attacker has sent me this message intended to gain my confidence.

Let’s examine it.

Here we have what appears to be a personalized message from David

Does this sound like David?

Am I expecting an email like this from David?

Notice the attempts to legitimize the appearance of the email.

It even contains legitimate links to further disguise itself.

Don’t forget to hover!

Be on the lookout for inconsistencies

Immediately this email raises suspicion.

David’s never used Docusign before.

David would never use phrasing like “bumped

into my mind.”

Aren’t articles usually links to websites? I’ve

never received one as an attachment

before.

Why would a signing service host an article

anyway?

Who is Dawn Dickinson and why does it say

she sent this message?

Assessment

At this point you should report this email to

your IT department, and ignore anything it asks

you to do.

You should also contact David via some

method other than email to figure out if he

actually sent this, or if he’s been compromised.

Assessment

This email appears to have an attachment as

well.

We’ve already determined this email is a

threat. At no point should you open it.

Assessment

We will examine it here purely for demonstration.

By investigating the attachment we can confirm

it is a PDF file.

Assessment

This is our attachment

More attempts to legitimize

the appearance.

FAKE!

Assessment

This is our attachment

This particular attack is

sneaky.

It hides a malicious link inside of a harmless PDF, instead of putting it directly in the email body.

This way it’s able to bypass my spam filter.

FAKE!

Assessment

This is our attachment

By hovering, we can see

where these links actually

take us.

FAKE!

Assessment

This is our attachment

By hovering, we can see

where these links actually

take us. I don’t recognize this domain

FAKE!

Assessment

Under no circumstances

should you click those

links.

By this point you should

have already reported

this email to your IT

department.

FAKE!

Assessment

I will open this link for demonstrational purposes.

Do not attempt this on your own.

This is where the link takes us.

FAKE!

Notice how this website is posing as Docusign.com

FAKE!

By examining the domain, however, we can see otherwise

We also see that bostools.ec (the domain linked in the attachment) redirected us to technocoatings.net

Remember links can redirect you to different destinations.

This is why it is important to evaluate the legitimacy of an email.

By clicking this button here, I’m taken to the following page... FAKE!

Again, we see an illegitimate domain

Yet it is disguised as a Microsoft

login page

Were you to enter your login

information here, you would be giving

the attacker your email address and

password FAKE!

This is called phishing.

There are thousands of these attacks circulating through email at any given moment.

FAKE!

Just to give you an idea

289,371

20 million

$1.6 million

New phishing websites discovered

New malware strains discovered

Average cost of a phishing attack

Sourceshttp://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdfhttps://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/

Between January and March of 2016

Don’t Be a Victim

1

2

3

Identify the sender

Screen the links

Don’t trust attachments

Report anything suspicious to your IT department. They are paid to ensure your company’s security.

Security Products Help

The most effective safety measure is you

but they only get you so far